Sussex Police website data breach under investigation

Sussex Police is continuing to investigate multiple security breaches of its website that saw the personal details of some staff and members of the public being illegally obtained over the Christmas period.

The e-mail addresses of a number of officers and citizens were obtained through three breaches of a contained area of the Sussex Police website, potentially impacting up to 270 people, according to an official statement released on Christmas Eve.

Although Sussex Police’s other ICT systems and operations are not thought to have been affected by the attacks, a spokesperson for the force said that work had been completed last week to ensure all IT systems were secure and resilient enough to prevent similar breaches. The force declined to provide further details on the nature of the changes made to its systems, but confirmed that efforts were underway to identify those responsible.

"Our website is entirely separate to those systems used to investigate crime. The activity has not impacted on any other force IT, web or telephony systems and operational response is unaffected," said a statement. "There has been no impact on our service to the public."

Data regulator the Information Commissioner’s Office (ICO) meanwhile said it was aware of the "incident" involving Sussex Police and currently looking into the details of the case.

With regard to the data protection measures that UK police authorities are required to undertake, an ICO spokesperson said the regulator had an "authority neutral" policy regarding the responsibilities of public and private sector bodies under the Data Protection Act. The spokesperson added that under ICO policy, organisations were required to ensure their security measures were appropriate for the sensitivity of the information they held.

As with any other private or public sector organisation handling personal data, the ICO said that any police force it found not to be in compliance with the Data Protection Act could face enforcement notices requiring immediate action to prevent further breaches. Failure to address the regulator’s concerns could then lead to Civil Monetary Penalties (CMP) being imposed on the organisation, according to the ICO spokesperson.

Since April 2010, the ICO has had powers to issue monetary penalty notices of up to £500,000 for breaches of the Data Protection Act – with a number of public sector bodies facing fines of between £80,000 and £325,000 in recent years.